
Implementation Details of Strong Authentication at Fermilab


2.0 - Updated on 2021-02-18 by Carlos Salazar (Inactive)

1.0 - Authored on 2014-04-18 by Fang Wang


Intended for:

Kerberos users and system administrators.


Scenario/Use case:

This article describes the concept of strong authentication and the features and environment as implemented at Fermilab.


Details:

What is "Strong Authentication"?

Definition

A succinct definition of strong authentication was given by Tardo and Alagappan (J.J. Tardo and K. Alagappan, "SPX: Global Authentication Using Public Key Certificates." In Proc IEEE Symp. Research in Security and Privacy. IEEE CS Press, 1991):

"Techniques that permit entities to provide evidence that they know a particular secret without revealing the secret."

In more practical terms, it is a system for verifying the identities of workstation users and network servers on an unprotected network, in which the parties demonstrate knowledge of a "secret" rather than transmitting a password. Typically the verification is done via a trusted third-party authentication service using conventional (i.e., symmetric-key) cryptography. Strong authentication avoids relying on authentication by the host operating system or basing trust on host addresses. It does not require that the network be safe from eavesdropping, from injection of hostile packets, or from alteration or deletion of packets (although the Kerberos authentication process can be made to fail if too many packets are altered or deleted, e.g., all of them in one or both directions, so that the client eventually gives up).
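The definition above is easiest to see in code. The following is an added illustration, not Fermilab's configuration and not MIT Kerberos source: a toy Kerberos-style exchange in which a client proves to a server that it knows its password by decrypting a reply from a trusted third party (the KDC), while the password itself never leaves the client's machine. The principal names, the session-key layout and the HMAC-based "seal" cipher are constructed for this example and stand in for Kerberos' real message formats and encryption types.

```python
# Added illustration (not Fermilab's or MIT Kerberos' code): a toy Kerberos-style
# exchange in which a client proves to a service that it knows its password
# without that password ever leaving the client. The KDC, the principal names,
# and the HMAC-based "seal" cipher are constructed for this example only.
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: the password becomes a long-term key on the client and is
    stored (as a key, not a password) in the KDC database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used only to keep this example dependency-free.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (toy construction)."""
    plaintext = json.dumps(message).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first; a wrong key (i.e. a wrong password) fails here, locally."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Trusted third party: shares a long-term key with every principal."""

    def __init__(self):
        self.database = {}  # principal -> long-term key

    def register(self, principal: str, key: bytes) -> None:
        self.database[principal] = key

    def issue_ticket(self, client: str, service: str, lifetime: int = 8 * 3600):
        # The KDC never sees the client's password; it only uses the stored key.
        session_key = os.urandom(32).hex()
        expires = int(time.time()) + lifetime
        ticket = seal(self.database[service],
                      {"client": client, "session_key": session_key, "expires": expires})
        reply = seal(self.database[client],
                     {"service": service, "session_key": session_key, "expires": expires})
        return reply, ticket


class Service:
    """A strengthened server: accepts only tickets sealed under its own key."""

    def __init__(self, name: str, key: bytes, max_skew: float = 300.0):
        self.name, self.key, self.max_skew = name, key, max_skew
        self.replay_cache = set()  # (client, timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)
        if t["expires"] < time.time():
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)  # client holds the session key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(a["timestamp"] - time.time()) > self.max_skew:
            raise ValueError("authenticator timestamp outside allowed clock skew")
        if (a["client"], a["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["timestamp"]))
        return t["client"]


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side: obtain a ticket and build an authenticator. Only the derived
    key is used; the password itself is never sent anywhere."""
    key = derive_key(password, user)
    reply, ticket = kdc.issue_ticket(user, service)
    session = unseal(key, reply)  # a wrong password cannot open the KDC reply
    authenticator = seal(bytes.fromhex(session["session_key"]),
                         {"client": user, "timestamp": time.time()})
    return ticket, authenticator


def build_environment(user: str, password: str, service: str, service_key: bytes):
    """Enrol one user and one service with a fresh KDC (constructed setup)."""
    kdc = KDC()
    kdc.register(user, derive_key(password, user))
    kdc.register(service, service_key)
    return kdc, Service(service, service_key)
```

Three properties of the definition are visible in the exchange: the only things on the wire are the KDC reply, the ticket and the authenticator, none of which contain the password; a client with the wrong password fails at `unseal` on its own machine, before anything reaches the server; and the server's replay cache and clock-skew check are what make a captured authenticator worthless to a third party who records it.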

Goals of Strong Authentication at Fermilab

Fermilab must demonstrate to the DOE that it is implementing a computer security system that exercises tight control over who uses the lab's computers and network (which are owned by the government). The Computing Sector has been charged with implementing Strong Authentication to meet Fermilab's obligation.

A primary goal of this effort is to essentially eliminate the transmission of clear text reusable passwords over the network and their storage on local systems. It is impossible to entirely prevent the transmission of clear text passwords, but we are implementing a solution that removes the most common opportunities as well as most of the necessity for typing a password.

Other important goals for us include:


The Authentication Model Implemented at Fermilab

The strong authentication service implemented at Fermilab is the Kerberos Network Authentication Service V5. We describe many of its features in About the Kerberos V5 Network Authentication Service. In this section we describe the model more generally.

The Realms

The model employed at Fermilab divides the computing environment into three realms:

The strengthened realm

The strengthened realm consists of all systems (whether on- or off-site) that require strong authentication for access from the network. On a strengthened system, all traditional means of access that use weak authentication, such as telnet, rlogin, FTP, and so on, are replaced with strengthened versions of these programs. Means of access over the network that do not involve passwords are allowed. Weak authentication (standard security) is allowed for local access only, i.e., via the console or locally attached display.

The production realm at Fermilab for UNIX machines is called FNAL.GOV, and for Windows, there is FERMI.WIN.FNAL.GOV.

The trusted realm

Other sites that implement strong authentication, and that meet certain criteria, may be recognized by the strengthened realm at Fermilab as a "trusted" realm. Trusted realms provide levels of security and authentication equivalent to our own. Trust relations (cross-realm authentication) between the trusted realm and the strengthened realm allow access without further authentication (i.e., a user authenticates only when accessing either realm individually, not again when crossing between them).

The untrusted realm

The untrusted realm consists of those systems that do not require strong authentication and that permit traditional means of access. These systems typically expose clear-text passwords on the network.

Relationships between the Realms

The figures below illustrate the relationships between these realms. (The Key Distribution Center, or KDC, shown on these figures is described in About the Kerberos V5 Network Authentication Service.)



Direct connections between machines in the strengthened realm are allowed (the Key Distribution Center provides credentials to the client's machine, which can then be presented to access the other strengthened machine).



Direct connections from the strengthened to the untrusted realm are allowed.



One-time passwords are used for direct connections from the untrusted to the strengthened realm at Fermilab. Strengthened machines are configured to respond in portal mode when requests for access come from machines in the untrusted realm. In portal mode, the strengthened machine acts as a secure gateway into the strengthened realm, requiring a single-use password for authentication. This avoids transmission of reusable clear-text passwords over a potentially unprotected network.

Different programs exist for generating non-reusable passwords; at Fermilab we currently support the RSA SecurID token (described in Using RSA SecurID Token). No special hardware or software is required on the untrusted system.
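What a portal-mode gateway has to get right is the "single-use" part: a code that was just accepted must never be accepted again, however it was captured. The following is an added example, not Fermilab's portal software and not the RSA SecurID algorithm (which is proprietary); it uses the openly specified HOTP scheme (RFC 4226) to show the server-side bookkeeping a single-use password check needs. The user name, the shared secret (the RFC 4226 test-vector secret) and the lockout threshold are constructed for this example.

```python
# Added illustration (not Fermilab's code and not the RSA SecurID algorithm):
# a single-use password check of the kind a portal-mode gateway needs, built on
# HOTP (RFC 4226). User names, secrets and the lockout threshold are constructed
# for this example.
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PortalVerifier:
    """Server-side verifier: each code is accepted at most once and the counter
    only moves forward, so a code observed on the network is spent the moment
    its legitimate owner uses it."""

    def __init__(self, look_ahead: int = 10, max_failures: int = 5):
        self.look_ahead = look_ahead      # how far the token may have run ahead of us
        self.max_failures = max_failures  # lock the account after this many bad codes
        self.users = {}                   # user -> [secret, next_counter, failures]

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = [secret, 0, 0]

    def verify(self, user: str, code: str) -> bool:
        record = self.users.get(user)
        if record is None or record[2] >= self.max_failures:
            return False  # unknown user or locked account: same answer either way
        secret, next_counter, _ = record
        for c in range(next_counter, next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                record[1] = c + 1  # this code and every earlier one are now spent
                record[2] = 0
                return True
        record[2] += 1  # wrong code: count it towards lockout
        return False
```

The look-ahead window accommodates a token that was pressed a few times without logging in; the counter never moves backwards, so a replayed code fails even inside the window, and the failure counter bounds how many guesses an attacker on the untrusted side gets at a six-digit code.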



For connections between untrusted machines, strong authentication is not involved. The standard network programs are used in the normal way.

Features of Strong Authentication at Fermilab

The strong authentication model implemented at Fermilab:



See Also: